Business owners and IT executives need to perform a quick business impact analysis (BIA) to identify the company’s critical business processes.
Most businesses are unprepared for a pandemic like Covid-19 that could incapacitate 30 percent or more of staff and dramatically impair revenue streams even though they have decent disaster recovery/business continuity plans that address catastrophes that destroy or impair infrastructure.
Unlike most catastrophes that are local, this pandemic will impact business in multiple sites globally and has the ability to put an entire enterprise at risk. The current coronavirus Covid-19 pandemic has rapidly slowed revenue streams and is creating operational chaos internally, impairing coverage and resources from business partners and suppliers, hindering responsiveness to customers and business partners, shaking shareholder confidence, and debilitating the chain of command.
Business owners and IT executives need to construct and implement a pandemic business continuity plan that mitigates its risks to acceptable levels and ensures the company can continue to operate over the extended crisis period in all key areas as needed.
Covid-19 could end up infecting millions of people worldwide and the various lockdowns and restrictions on activities could reduce staffing in critical business processes to the point where minimum operating requirements may not be met. Best estimates today project the virus could peak before the end of April while a worst-case scenario puts the peak out in August.
Business owners and IT executives need to perform a quick business impact analysis (BIA) to identify the company’s critical business processes, dependencies, internal and external infrastructure, process flows, supply chain, and minimum operating requirements. This analysis needs to address all aspects of the business and must look at the risks and level of severity of the impacts so that actions can be prioritized and implemented.
Impact on telecommunications, web and cell phones
For example, a critical process that is currently done onsite may need to be done remotely via telecommuting, cell phones and/or Web access. That may have worked well in previous runs but under a stress load where a multitude of companies are all shifting to the same or similar workarounds, the external infrastructure may not be able to handle the load without delays or blockages. New tools may need to be acquired (SaaS tools with good self-help capabilities are perfect for this) and people trained so that they are productive at home. Creativity may also be needed to address some of the unplanned bottlenecks.
Security procedures are another area that needs to be reevaluated. For example, many companies have implemented multi-factor authentication (MFA). With Covid-19 being transmitted through touch and surfaces holding the virus live for hours, the use of fingerprints may no longer be a desired approach. MFA may need to be put on hold or non-contact methods found, while a virtual private network (VPN) may need to be implemented for the remote staff to shield the internal traffic flow.
According to a study by VPN vendor Atlas VPN, VPN usage in the U.S. grew by 53 percent between March 9 and 15. Continued rapid growth could cause networking choke points and bottlenecks of all types, impairing productivity. Moreover, many home broadband and Wi-Fi networks may not meet business certification standards. IT security personnel should require remote individuals to submit screenshots of their Wi-Fi configurations to validate encryption and other security components are being used.
Similarly, the shift of workloads to home computers may impact data privacy and protection. If this is new for certain people and processes, IT executives will need to evaluate the impact and put in place new protections to keep the company compliant with California’s CCPA, the EU’s GDPR, and other privacy regulations. Employees must also be made aware of the privacy and security elements that they are responsible for when they are working remotely and, in some cases, using their own PCs or laptops. It is also desirable for the company to have a way for these newly remote individuals to acknowledge or sign a document that says they understand their responsibilities.
Supply chain, logistics
Current processes and business continuity plans should be studied to see if they are optimal for a pandemic continuity plan or if the processes or the inputs/outputs associated with them need to change. For example, delivery of supplies may be delayed or disrupted due to lack of transport personnel or a product shutdown somewhere in the supply chain. Or the prices could have escalated dramatically. Alternatives would need to be found. Would this change improve the probability of the critical process being completed in a timely fashion or would it make matters worse? If so, what is the process flow implication? Will just-in-time processes need to be adjusted – temporarily or permanently?
Keeping the wheels greased
One factor that must be addressed (and is obvious from an organization chart or a process map) is that there are individuals in various departments that are key players that keep the wheels greased and whose extended absence or unavailability may result in a process grinding into low gear or worse. These people need to be identified and an impact analysis must be performed on each of these critical employees or workers. It should be noted that age group alone will not determine susceptibility to disease and thus personal factors such as age, children, and personal health should not be used as a basis for risk. Furthermore, use of such factors in the analysis could result in legal issues later on and thus should be avoided.
A best practice for analyzing the staffing is to create four categories of staffing needs and then to put people and/or groups into each of the categories.
The four categories are as follows:
- Staff that must be at work
- Staff that must work but can work from home
- Staff that could work at home but not essential
- Non-essential staff with no requirement for them to work
In each of the key areas it will be important to drill down on the people and the processes together as a team, as the resolution to many issues touches upon multiple components. For example, for people who will need to work on site, there will be a requirement to ensure that the facilities are sterilized, that face-to-face meetings be eliminated or minimized to less than 10 at a time, communication of the status and key FAQs are being disseminated, etc. For teleconferencing video conferencing keeps the communications lines open better than audio and therefore should be used where possible.
The pandemic continuity planning team will also have to examine and build contingencies for outsourced services. It is reasonable to assume that business partners and suppliers of all types will undergo the same or similar constraints that the team is addressing for the company. Thus, one cannot assume that workflow can proceed as normal even if the enterprise is well locked down and functional. All elements of the supply chain and contracted services need to be studied, worse case scenarios developed, and strategies and workarounds defined as quickly as possible.
Messaging and communications
Messaging is going to be a vital component when the plan is completed and conveyed to business partners, the board of directors, employees (non-management), management, regulatory agencies, shareholders, staff, and suppliers. In addition, when it is executed, it will also have to be communicated to the community at large and customers.
How well this is done will impact the success of the Covid-19 pandemic plan. The content and frequency of communication will vary by the stage the company is in (plan development, test, standby, or execution). RFG recommends that the messaging plan be put in place once agreed upon. In this case the sooner people are aware that the company is prepared for Covid-19 pandemic and will be operational in some form, the better it is for the company’s image.
Enterprises must expeditiously update and execute their disaster recovery/business continuity plans to address the Covid-19 pandemic. As people are already noticing, the Covid-19 pandemic is impacting and impairing an organization far differently than the other forms of catastrophes that enterprises have dealt with over the last few decades.
Executives will quickly need to analyze and act upon business relationships, policies, all processes, and resources to ensure that the company can continue to function over the potential of three waves of human outages that could span the initial lockdown period that could last through May or August – as well as the repeat hits in the fall and winter – and sideline 30 percent or more of staff and other personnel.